Avoid unsafe regex

dscho · dscho · commit fca2104f2814 · 2025-08-15T17:03:17.000Z
In 321c465 (misc-helper: start implementing the Pipeline side of the new strategy, 2018-12-19), I introduced a regular expression that could potentially be used to DoS the GitGitGadget Pipelines runner, via a crafted (and most likely invalid) slash command. The saving grace here is that only users who are already allowed to use GitGitGadget will even come as far with such a crafted command as to hit that parser. Nevertheless, it's better to be safe than to be sorry. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
diff --git a/lib/ci-helper.ts b/lib/ci-helper.ts
@@ -541,13 +541,13 @@ export class CIHelper {
             }
         }
 
-        const match = comment.body.match(/^\s*(\/[-a-z]+)(\s+(.*?))?\s*$/);
+        const match = comment.body.trim().match(/^(\/[-a-z]+)\s*(.*)$/);
         if (!match) {
             console.log(`Not a command; doing nothing: '${comment.body}'`);
             return; /* nothing to do */
         }
         const command = match[1];
-        const argument = match[3];
+        const argument = match[2].trim();
         const prKey = {
             owner: repositoryOwner,
             repo: this.config.repo.name,

Original file line number	Diff line number	Diff line change
`@@ -541,13 +541,13 @@ export class CIHelper {`
`541`	`541`	`}`
`542`	`542`	`}`
`543`	`543`
`544`		`- const match = comment.body.match(/^\s(\/[-a-z]+)(\s+(.?))?\s*$/);`
	`544`	`+ const match = comment.body.trim().match(/^(\/[-a-z]+)\s(.)$/);`
`545`	`545`	`if (!match) {`
`546`	`546`	console.log(`Not a command; doing nothing: '${comment.body}'`);
`547`	`547`	`return; /* nothing to do */`
`548`	`548`	`}`
`549`	`549`	`const command = match[1];`
`550`		`- const argument = match[3];`
	`550`	`+ const argument = match[2].trim();`
`551`	`551`	`const prKey = {`
`552`	`552`	`owner: repositoryOwner,`
`553`	`553`	`repo: this.config.repo.name,`